[strongSwan] Fw:VTI -Route Based Tunnel not coming up
vic
vic at speedycloud.cn
Wed Oct 18 10:29:24 CEST 2017
Hi Andreas,
I have followed the procedures carefully, but I couldn't bring the tunnel up. Can you help me find the bug in the configuration?
10.0.53.0/24 Server A (69.28.X.X) ----------IP Sec Tunnel-------------- (106.2.X.X)Server B 10.56.0.0/24
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2

conn VTI
    auto=start
    type=tunnel
    aggressive=no
    ike=aes256-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha1,3des-sha1
    mark_in=1
    mark_out=1
    left=106.2.X.X
    leftsubnet=10.56.2.0/24
    leftauth=psk
    leftfirewall=yes
    right=69.28.X.X
    rightsubnet=10.0.53.0/24
    rightauth=psk
    rightfirewall=yes

ipsec.secrets:
106.2.X.X 69.28.X.X : PSK secret
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SERVER B
config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2

conn VTI
    auto=start
    closeaction=restart
    type=tunnel
    aggressive=no
    ike=aes256-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha1,3des-sha1
    mark_in=1
    mark_out=1
    left=69.28.X.X
    leftsubnet=10.0.53.0/24
    leftauth=psk
    leftfirewall=yes
    right=106.2.X.X
    rightsubnet=10.56.2.0/24
    rightauth=psk
    rightfirewall=yes
---------------------------------------------------------------------------------------------------------------------------------------------
Routing:
# Create a VTI link on Site1 server A with same mark as the connection:
ip link add vti0 type vti local 69.28.X.X remote 106.2.X.X key 32
# Add route to tunnel:
ip route add 69.28.X.X.0/24 dev vti0
--------------------------------------------------------------------------------------------------------------------------------------------
# Create a VTI link on Site2 server B with same mark as the connection:
ip link add vti0 type vti local 106.2.X.X remote 69.28X.X key 32
# Add route to tunnel:
ip route add 106.2.X.X.0/24 dev vti0
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
SERVER B output
ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.0, Linux 4.4.0-93-generic, x86_64):
uptime: 4 seconds, since Oct 18 16:13:00 2017
malloc: sbrk 1753088, mmap 0, used 352816, free 1400272
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
69.28.X.X
10.0.X.X
Connections:
VTI: 69.28.X.X...106.2.X.X IKEv2
VTI: local: [69.28.X.X] uses pre-shared key authentication
VTI: remote: [106.2.X.X] uses pre-shared key authentication
VTI: child: 10.0.53.0/24 === 10.56.2.0/24 TUNNEL
Security Associations (0 up, 1 connecting):
VTI[1]: CONNECTING, 69.28.X.X[%any]...106.2.X.X[%any]
VTI[1]: IKEv2 SPIs: 9aa246cce07c3d09_i* 0000000000000000_r
VTI[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
If you do not mind, can you provide some sample configuration to establish a route-based IPsec VPN (VTI) between two Ubuntu servers?
Regards,
Vic
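An added consistency check (not from the post or from strongSwan) for the two things a mark-based VTI setup like the one above depends on: the conn's mark_in/mark_out must equal the VTI device's ikey/okey (or key), and the route pushed over the VTI must be a valid network prefix. The sample ipsec.conf fragment and ip commands are constructed from the values quoted in the post, with the X placeholders kept as-is.

```python
import re

# Constructed sample mirroring the values quoted in the post (X placeholders kept).
IPSEC_CONF = """\
conn VTI
    mark_in=1
    mark_out=1
"""
IP_CMDS = """\
ip link add vti0 type vti local 69.28.X.X remote 106.2.X.X key 32
ip route add 69.28.X.X.0/24 dev vti0
"""

def mark_value(v):
    """Parse a strongSwan mark ('1', '0x20', '42/0xffffffff') to its integer value."""
    return int(v.split('/')[0], 0)

def parse_marks(conf):
    """Map each conn to its mark_in/mark_out; 'mark=N' sets both unless given explicitly."""
    conns, cur = {}, None
    for line in conf.splitlines():
        m = re.match(r'^conn\s+(\S+)', line)
        if m:
            cur, conns[m.group(1)] = m.group(1), {}
            continue
        kv = re.match(r'^\s*(mark|mark_in|mark_out)\s*=\s*(\S+)', line)
        if kv and cur:
            k, v = kv.groups()
            for key in (('mark_in', 'mark_out') if k == 'mark' else (k,)):
                conns[cur][key] = v if k != 'mark' else conns[cur].get(key, v)
    return conns

def parse_vti_keys(cmds):
    """Map each 'ip link add <dev> type vti ...' to its (ikey, okey); 'key N' sets both."""
    devs = {}
    for m in re.finditer(r'^ip link add (\S+) type vti (.*)$', cmds, re.M):
        opts = dict(zip(*[iter(m.group(2).split())] * 2))  # 'local A remote B key 32' -> dict
        key = opts.get('key', '0')
        devs[m.group(1)] = (int(opts.get('ikey', key), 0), int(opts.get('okey', key), 0))
    return devs

def check_vti(conf, cmds):
    """Return findings: mark/key mismatches between ipsec.conf and the VTI, bad route prefixes."""
    findings = []
    for conn, mk in parse_marks(conf).items():
        marks = (mark_value(mk.get('mark_in', '0')), mark_value(mk.get('mark_out', '0')))
        for dev, keys in parse_vti_keys(cmds).items():
            if marks != keys:
                findings.append(f"conn {conn}: mark_in/mark_out {marks} != {dev} ikey/okey {keys}")
    for m in re.finditer(r'^ip route add (\S+) dev (\S+)', cmds, re.M):
        if m.group(1).split('/')[0].count('.') != 3:  # an IPv4 prefix has exactly four octets
            findings.append(f"route {m.group(1)} via {m.group(2)}: not a valid IPv4 network")
    return findings
```

Running check_vti(IPSEC_CONF, IP_CMDS) on the constructed sample reports both a mark/key mismatch and a malformed route prefix; a conn with mark=32 routed to the remote subnet reports nothing.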